Is journalism failing cybersecurity?

As hacking rises up the agenda, more pressure falls on hacks to report.

Journalists, at least in Britain, do not enjoy rude popularity.

Yet even if the public has little faith in journalists, the media has been warmly received by the cybersecurity industry. In this reporter’s travels almost everyone in the sector has credited coverage of breaches against Target, eBay and JP Morgan to the field’s increased funding and attention from the boardroom.

The trouble, as a panel of eminent reporters told the RSA Conference, is that such coverage may be driving the industry into a rut. As public awareness of cybersecurity has grown the news agenda has changed, and not all the consequences are good.

A surfeit of news

Once a niche interest, cybersecurity now regularly makes the front page of mainstream news sites, which many think is good for the industry. Yet such is the investment and demand in the sector reporters now have to contend with a surfeit of reports and figures, as vendors vie for coverage.

"I think the worst part of my job is the constant triage I have to do," said Joseph Menn, a technology reporter at the newswire Reuters. "I hate doing that and it is getting harder. We have to keep raising the bar on what’s newsworthy or fresh or different."

Nicole Perlroth, technology reporter at the New York Times, put it a different way: "We don’t cover every murder in New York anymore, so why should we cover every breach?"

She added that she had inadvertently encouraged vendors to research state-sponsored hacking groups, known as advanced persistent threats (APTs), simply by covering APT1, an early example of such an outfit detailed by the security firm Mandiant in February 2013.

"I now get the sense every security start-up thinks they are going to make their name with an APT report," she said. At least in the case of Kaspersky, which wrote about an outfit called Carbanak which was attacking banks around the world, such reports are proving fruitful. But how helpful is that for the industry as a whole?

Much noise, little signal

Whilst coverage may be enticing venture capitalists to spend big on security start-ups, the evidence of behaviour improving among punters is less strong. The OpenSSL bug Heartbleed, perhaps the most famous computer glitch in history, led to little change, with the security vendor Venafi estimating that three-quarters of the Forbes 2,000 still have public-facing systems vulnerable to it today.

Some suggest the repetitive nature of cybersecurity stories is boring people. "I have to admit even I get sick of these stories," said Brian Krebs, who runs the Krebs On Security blog. "At some level you have to ask: ‘Does this breach really matter?’"

As he mischievously added, much of the furore over headline breaches ignores the fact that so much information has already been compromised. Much of his reporting has chronicled the widespread trade in credit card data online, which though low-key is arguably a greater threat over the long-term than front page breaches.

"I think the hacking that your grandmom could do gets way too much coverage," Menn added. The panel even suggested that "frothy" reporting could led to frothy hacking, as political campaigners and trolls seek to draw attention to themselves through newsworthy attacks, as was the case with Lizard Squad’s denial-of-service assaults on gaming networks last December.

Future imperfect

Whilst the panel were open about the limits of cybersecurity coverage, they did at least see some cause for optimism. Krebs noted that "raw intelligence" on cybercriminals is readily available on many forums, often having been designed with the intention of being found through search engines.

Nobody doubted the appetite for coverage either. "There’s so much bad writing about cybersecurity right now that if you actually know something about security I think there’s an opening there," Menn said, though Perlroth pointed out that those with that knowledge could probably make more money doing security than writing about it.

For now at least, the cybercrime wave is making for goods stories and some rewarding occupations. "I’ve never been as worried about the evil things that will happen through vulnerabilities as a lot of people," said Kevin Poulson, contributing editor at Wired and former black hat hacker. "If nothing happened this would be a very boring job."